Post Fri Aug 28, 2009 11:52 am

Twitter XSS Vulnerability Not Yet Fixed

A major cross-site-scripting vulnerability in Twitter that could result in a user's account being taken over has yet to be fixed despite Twitter's claim that it has, according to the software developer who discovered the bug.

James Slater first described the vulnerability, which allows malicious JavaScript code to be inserted into tweets, Tuesday on the blog of Dave Naylor, a search marketing executive.

Twitter's application programming interface (API), used by developers to create applications to post tweets -- such as TweetDeck, TwitterFox or HootSuite -- does not properly filter the URL of these programs. As a result, users could actually insert malicious JavaScript code along with a URL.

“With a few minutes work, someone with a bit of technical expertise could make a Twitter ‘application' and start sending tweets with it,” Slater explained in a blog post Wednesday. “It can be arranged so that if another Twitter user so much as sees one of these tweets -- and they are logged in to Twitter -- their account could be taken over.”

Because of the bug, attackers could capture account credentials, redirect a user to a site of their choosing, alter a user's tweets or "followers," or send messages from a compromised account.

“The main impact is that it could be abused by anyone really, to steal your [login] details or impersonate your Twitter,” Slater, who works for Naylor's search engine optimization company, Bronco Internet, told on Wednesday.

Twitter was informed about the vulnerability Tuesday before details of it were posted, Naylor said. A member of Twitter's operation team told Naylor that the company had fixed the glitch, but Naylor said the patch doesn't work.

A Twitter spokesperson could not be reached for comment Wednesday.

For complete story: ... le/147352/